Thales Blog

Closing the Gap in External Key Management Storage Security

December 16, 2020

Robert Masterson | Manager, Product Marketing

Concerns over data security continue to rise. In the global marketplace the amount of private data expands, and the physical locations where data is stored are spread far and wide. Gone are the days of corporations operating a single, tightly secured data center, where access is limited, and server hardware physical security is well assured. To meet the need for fast response times and disaster recovery plans (and to follow regulatory requirements that mandate onshore private data storage), most organizations have multiple data centers running private clouds. With this distributed multi-data-center architecture, the physical security of stored data, and even whole servers, is at higher risk.

Self-encrypting drives, or SEDs, offer instant, transparent encryption of data on servers and storage. This data-at-rest form of protection renders the private customer and corporate information inaccessible if the drive is stolen. While this data protection strategy is very effective, there are potential gaps in that security which an attacker could use to gain access.

One such gap is where and how the private encryption keys are managed and stored. Private keys are at the root of how SEDs are “locked up.” Authorized users have access to the keys needed to decrypt and unlock the data stored on the SED. Unfortunately, the use of on-board key management software can mean the keys are stored on the same server or storage device as the data. If the whole server walks out of the data center, the hostile actor could potentially locate the keys and gain access to the encrypted data.

External Key Management to the Rescue

Dell Technologies helps close this gap with its new Secure Enterprise Key Management (SEKM) feature. SEKM couples Dell’s SED with Thales’s CipherTrust Manager and Luna hardware security modules (HSMs). With SEKM, cryptographic keys are generated, managed, and stored externally to the server or storage array and away from the data. So, regardless of how elegant the hacker’s tools are, the private encryption keys are stored externally in the HSM, and the secured private data remains safe. In fact, you can learn more about it in Dell’s recent blog post on Data Security for PowerEdge Servers Made Easy.

CipherTrust Manager is the central management point for Thales’s CipherTrust Data Security Platform. It manages key lifecycle tasks including generation, rotation, destruction, import and export. It provides role-based access control to keys and policies, supports robust auditing and reporting, and offers developer-friendly REST APIs. Luna on-premises and cloud HSMs are hardened, tamper-resistant hardware devices that strengthen encryption practices by generating keys, encrypting and decrypting data, and creating and verifying digital signatures.

Because CipherTrust Manager is external to Dell’s SEDs, the keys have the highest possible availability, and their power to enhance data security can be leveraged across many systems. This scalability extends the value of the key management components. Deploying this key management solution across the organization also simplifies policy management and regulatory compliance audits. Incorporating Thales Luna HSMs adds the strongest possible root of trust, high-entropy key generation, and a FIPS 140-2 Level 3 certified hardware vault to hold these critical private keys.

Dell Technologies’ SEKM is integrated with Thales products through the industry-standard KMIP protocol, so there is no vendor lock-in: no proprietary hooks to limit your choices. SEKM strengthens Dell’s SED security, adds scalability, and simplifies storage security management.
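To make the KMIP integration concrete, the following is an added example (not Dell SEKM's or Thales's own code) that encodes and decodes a KMIP 1.0 Get request in the protocol's TTLV wire format, the exchange in which a server holding only a key identifier asks an external key manager for the key itself. Tag, type and operation values are taken from the OASIS KMIP specification; the key identifier used in the test is a constructed placeholder.

```python
# KMIP 1.x TTLV tags, item types and the Get operation code (values from the
# OASIS KMIP spec). Illustrative encoder/decoder only, not Dell's or Thales's code.
TAG_REQUEST_MESSAGE, TAG_REQUEST_HEADER, TAG_PROTOCOL_VERSION = 0x420078, 0x420077, 0x420069
TAG_PROTOCOL_MAJOR, TAG_PROTOCOL_MINOR, TAG_BATCH_COUNT = 0x42006A, 0x42006B, 0x42000D
TAG_BATCH_ITEM, TAG_OPERATION, TAG_REQUEST_PAYLOAD = 0x42000F, 0x42005C, 0x420079
TAG_UNIQUE_IDENTIFIER = 0x420094
TYPE_STRUCTURE, TYPE_INTEGER, TYPE_ENUMERATION, TYPE_TEXT_STRING = 0x01, 0x02, 0x05, 0x07
OPERATION_GET = 0x0A

def ttlv(tag, typ, value):
    """One TTLV item: 3-byte tag, 1-byte type, 4-byte big-endian length,
    then the value zero-padded to a multiple of 8 bytes."""
    if isinstance(value, int):      # Integer (signed) / Enumeration are 4 bytes
        value = value.to_bytes(4, "big", signed=(typ == TYPE_INTEGER))
    elif isinstance(value, str):    # Text String is UTF-8, no terminator
        value = value.encode("utf-8")
    header = tag.to_bytes(3, "big") + bytes([typ]) + len(value).to_bytes(4, "big")
    return header + value + b"\x00" * ((-len(value)) % 8)

def kmip_get_request(key_id):
    """Encode a KMIP 1.0 Get request: the server asks the external key manager
    for the key object named key_id; only that identifier is kept locally."""
    version = ttlv(TAG_PROTOCOL_VERSION, TYPE_STRUCTURE,
                   ttlv(TAG_PROTOCOL_MAJOR, TYPE_INTEGER, 1)
                   + ttlv(TAG_PROTOCOL_MINOR, TYPE_INTEGER, 0))
    header = ttlv(TAG_REQUEST_HEADER, TYPE_STRUCTURE,
                  version + ttlv(TAG_BATCH_COUNT, TYPE_INTEGER, 1))
    payload = ttlv(TAG_REQUEST_PAYLOAD, TYPE_STRUCTURE,
                   ttlv(TAG_UNIQUE_IDENTIFIER, TYPE_TEXT_STRING, key_id))
    item = ttlv(TAG_BATCH_ITEM, TYPE_STRUCTURE,
                ttlv(TAG_OPERATION, TYPE_ENUMERATION, OPERATION_GET) + payload)
    return ttlv(TAG_REQUEST_MESSAGE, TYPE_STRUCTURE, header + item)

def parse_ttlv(buf, offset=0):
    """Decode the TTLV item at offset -> (tag, type, value, next_offset).
    A Structure decodes to a list of (tag, type, value) children."""
    tag, typ = int.from_bytes(buf[offset:offset + 3], "big"), buf[offset + 3]
    length = int.from_bytes(buf[offset + 4:offset + 8], "big")
    raw = buf[offset + 8:offset + 8 + length]
    value = raw  # Byte String and other types are returned undecoded
    if typ == TYPE_STRUCTURE:
        value, pos = [], 0
        while pos < len(raw):
            child = parse_ttlv(raw, pos)
            value.append(child[:3])
            pos = child[3]
    elif typ in (TYPE_INTEGER, TYPE_ENUMERATION):
        value = int.from_bytes(raw, "big", signed=(typ == TYPE_INTEGER))
    elif typ == TYPE_TEXT_STRING:
        value = raw.decode("utf-8")
    return tag, typ, value, offset + 8 + length + (-length) % 8
```

The same parse_ttlv routine decodes the key manager's Response Message, which is built from the same TTLV items; the key material itself never needs to be written to the drive that the request came from.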

To learn more, read about Dell EMC PowerEdge Servers SEKM with CipherTrust Manager.